1 Information Systems 7/1/03 Tom Coppeto MIT Mail System Security Issues 1 July 2003.

1

Information Systems 7/1/03Tom Coppeto

MIT Mail System

Security Issues

1 July 2003

2


Agenda

• Introduction to the mail system

• Authentication

• Virus Filtering

3


The Mail System

Mailhub

Internet

MIT Users

DMZ(MX mit.edu)

Outgoing

Post Office

Other MITMailers

4


The Mail System Acronymified

MTA

InternetMTA

MUA/MSAMAA

MTA

MTA

MTA/MDA

Other MITMTA

MUA: MAIL USER AGENTMSA: MAIL SUBMISSION AGENTMTA: MAIL TRANSFER AGENTMDA: MAIL DELIVERY AGENTMAA: MAIL ACCESS AGENT

5


SMTP Authentication

• MIT mail relays abused by spammers• Outgoing is a quasi-open relay• Need to further tighten outgoing to stop

this• The answer is SMTP authentication

• Only authorized users should be allowed to be an MSA and all MTA’s should not permit open relaying

6


SMTP Authentication (2)

• Benefits:– Reduction in mail abuse– Protected transfer of email messages– Gets around ISP’s who filter normal smtp traffic

• Costs:– Additional complexity in configuration

• Though not much– Older applications will need updating– System->system mail will require more work

7


SMTP Authentication (3)

• Secure transport (encryption)

• Authentication

8


SMTP Secure Transport

• The great thing about standards is that there are so many to choose from

• SMTPS– Tunnels SMTP within secure transport (SSL)– Supported by some clients such as outlook,

entourage and Apple Mail• SMTP/TLS

– RFC 3207– Negotiates secure transport within SMTP (port

25)– Supported by some clients such as eudora 5.1

and Apple Mail• The moral of the story is switch to a mac

9


Ports For Every Harbor

• SMTP (25)– Traditional standard for mail transport and submission– IETF standards include STARTTLS

• SMTPS (465)– Intended for SMTP over SSL– Revoked by the IETF– Some apps still use this

• SMTP/TLS (587)– “submission” (MSA) port– Deprecated in favor of 25

• ISP’s block 25 so this doesn’t solve the roaming problem and ISP’s don’t allow you to maintain your own identity

• “It may be that the SMTP transport will self-destruct by failing to provide connectivity sufficient to be useful”– Bob Frankston

10


Our Goals

• Secure transport for all MSA transactions• Require authentication• Support popular applications such as

– Outlook – Eudora– Entourage– Apple Mail– Netscape

• MIT users to be able to roam about Interland without:– Loss of identity– Difficult reconfiguration– Special network setups

11


Our Solution

• Support SMTPS on 465– This may whither away

• Support STARTTLS on 587– STARTTLS is a current standard– 587, although deprecated, is in

widespread use as the MSA port– We won’t permit STARTTLS to negotiate

insecure connections• Deprecate port 25

12


Future Issues

• This area is a mess– Applications vary– Spammers & witch hunts for open relays– Changing standards– ISP filtering

• May get more sophisticated than a simple port filter

– ISP not interested in you being able to easily switch providers

• We’ll see one of two things:– New protocols & ports– Greater dependence on web solutions

13


SMTP Authentication

• The MIT MSA supports Kerberos V5 for user authentication– A username/password may be tunneled within

SSL and checked with the KDC– A Kerberos credential may be presented

• GSSAPI• Only Eudora supports this

– Not supporting certificates at this time

• The recommendation is to make the authentication method symmetric between mail download (imap) and mail submission

14


SMTP Authentication: Messages

Received: from mit.edu (vw.mit.edu [18.18.18.18])(authenticated bits=0) (User authenticated as [email protected]) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for <[email protected]>; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)

15


SMTP Auth Configuration Example

• Apple Mail

16


SMTP Auth Configuration Example

• Eudora

17


Other Challenges

• Outgoing supports email addressed from *.mit.edu rather than mit.edu– Many alumni are using this to keep their

@alum.mit.edu identity– We’ll have to do something here which may bring us

back to the alum.mit.edu vs. mit.edu issue• MTA’s masquerading as MSA’s

– They should stop doing that• Use of sendmail as an MSA

– Where possible, users should use apps with a built-in MSA (as opposed to mh->sendmail)

– Where possible, the MTA should be running on the client machine (eg. sendmail does direct delivery)

– possible certificate based solution for the rest

18


SMTP Authentication: Next Steps

• Solidify recommended configurations for known applications

• Modify configurations to use a flavor of smtp authentication by default

• Make this the recommended solution for existing users– Now we have an answer for ISP

problems• Campaign to have MIT users upgraded by

July 1, 2004

19


Viruses

• We are filtering several known viruses at the border– Looking for identifying signatures– CPU intensive

• Then came bugbear– No consistent signature to filter– Extension filtering (.scr, .pif, .exe)

remain most effective known measure although we are being a bit more precise than this for now

20


Where Do We End Up?

• Content filtering for viruses has proven less effective

• The only measure we have left is to prevent the delivery of all executable programs

• We can be proactive in getting the word out• Or, we can wait until a more advanced

version of bugbear is released when we’ll be forced to implement this anyway

• Let’s get the word out

21


Conclusions

• Authentication is good

• Viruses are bad

any questions?

1 Information Systems 7/1/03 Tom Coppeto MIT Mail System Security Issues 1 July 2003.

Documents

information systems

mail transport

systemsystem mail

smtp transport

mail abuse

mail access agent slide

tom coppeto ports

smtp port